REMARKS/ARGUMENTS

Claims 40-53 have been rejected under 35 U.S.C. § 103(a) as being obvious in view of a paper entitled "Further Results on Chinese Remaindering" by Marc Joye, François Koeune, and Jean-Jacques Quisquater, referred to herein as "Joye et al."

Applicants respectfully submit that the disclosure in Joye et al. is not prior art under any section of 35 U.S.C. § 102 and cannot, therefore, be used as the basis for the Examiner's rejection of claims 40-53 under 35 U.S.C. § 103(a).

Applicants assume that the Examiner is contending that the Joye et al. reference is prior art under 35 U.S.C. § 102(a), i.e., the "invention was known or used by others in this country, or patented or described in a printed publication in this or a foreign country, before the invention thereof by the applicant for the patent."

A disclosure can be eliminated as a prior art reference if the applicant can show that the subject matter of the disclosure is derived from the applicant's own work. "It may not be readily apparent from the statutory language that a printed publication cannot stand as a reference under 35 U.S.C. § 102(a) unless it is describing the work of another. A literal reading might appear to make a prior art or printed publication 'prior art' even though the disclosure is that of the applicant's own work. However, such an interpretation of this section of the statute would negate the one year period afforded under 35 U.S.C. 102(b) during which an inventor is allowed to perfect, develop and apply for a patent on his invention and publish descriptions of it if he wishes." In re Katz, 687 F.2d 450, 454, 215 U.S.P.Q. 14 (CCPA 1982).

Appl. No. 09/516,910
Amdt. Dated June 22, 2004
Reply to Office Action of March 26, 2004

In the present case, the applicants published a paper entitled "On the Importance of Checking Computation" (the "Boneh Paper") that served as the basis for the disclosure in Joye et al. Note that the Joye et al. reference cited the Boneh Paper as reference no. 1. Applicants have included herewith a copy of the Boneh Paper cited by Joye et al. for the convenience of the Examiner. Applicants submit that there is no disclosure in Joye et al. relevant to claims 40-53 that is not also in the Boneh Paper. Because the Boneh Paper was not published more than one year prior to the application date of the parent application to the present application, i.e., September 19, 1997 (or more than one year before the application date of the related provisional application of February 7, 1997 as noted below), the Boneh Paper cannot be considered a statutory bar under 35 U.S.C. § 102(b). It is improper to use a subsequent paper such as Joye et al. that is merely a rehashing of the Boneh Paper as the basis of rejection, because the disclosure in Joye et al. is merely derived from the work of the inventors of the present invention. If a paper that simply reiterates the published work of the inventors could be used as a prior art reference under 35 U.S.C. § 102(a), then the one-year grace period granted under 35 U.S.C. § 102(b) to an inventor who publishes or commercially exploits his invention would be useless.

Even if Joye et al. were assumed to be prior art (rather than a derivation of the inventors' own work) under 35 U.S.C. § 102(a), the publication of Joye et al. was not prior to the filing date of U.S. Provisional Patent Application No. 60/036,925, filed February 7, 1997, the benefit of which is now claimed through the above amendment.

Applicants submit that the Examiner has not met his prima facie burden of showing either the lack of novelty or the obviousness of the claimed invention in view of a prior art reference, in that the Joye et al. reference cannot be considered prior art for the above stated reasons.

Applicants submit that claims 40-53 are allowable. Applicants hereby request reconsideration of claims 40-53 in view of the above discussion, and allowance thereof is respectfully requested.



Respectfully submitted. 



Telcordia Technologies, Inc. 




William A. Schoneman 
Reg. No. 38,047 
Tel.: (732) 699-3050 
Abstract

We present a theoretical model for breaking various cryptographic schemes by taking advantage of random hardware faults. We show how to attack certain implementations of RSA and Rabin signatures. We also show how various authentication protocols, such as Fiat-Shamir and Schnorr, can be broken using hardware faults.

1 Introduction 

Direct attacks on the famous RSA cryptosystem seem to require that one factor the modulus. Therefore, it is interesting to ask whether there are attacks that avoid this. The answer is yes; the first was the recent attack based on timing [3]. It was observed that a few bits could be obtained from the time that operations took. This would allow one to break the system without factoring.

We have a new type of attack that also avoids directly factoring the modulus. We essentially use the fact that from time to time the hardware performing the computations may introduce errors. There are several models that may enable a malicious adversary to collect and possibly cause faults. We give a high level description:

Transient faults. Consider a certification authority (CA) that is constantly generating certificates and sending them out to clients. Due to random transient hardware faults the CA might generate faulty certificates on rare occasions. If a faulty certificate is ever sent to a client, that client will be able to break the CA's system and generate fake certificates. Note that on various systems, a client is alerted when a faulty certificate is received.

Latent faults. Latent faults are hardware or software bugs that are difficult to catch. As an example, consider the Intel floating point division bug. Such bugs may also cause a CA to generate faulty certificates from time to time.

Induced faults. When an adversary has physical access to a device she may try to purposely induce hardware faults. For instance, one may attempt to attack a tamper-resistant device by deliberately causing it to malfunction. The erroneous values computed by the device enable the adversary to extract the secret stored on it.

*Also at Princeton University. Supported in part by NSF CCR-9304718.
We consider a fault model in which faults are transient. That is, the hardware fault only affects the current data, but not subsequent data. For instance, a bit stored in a register might spontaneously flip. Or a certain gate may spontaneously produce an incorrect value. Note that the change is totally silent: the hardware and the system have no clue that the change has taken place. We assume that the probability of such faults is small so that only a small number of them occur during the computation.

Our attack is effective against several cryptographic schemes such as the RSA system and Rabin signatures [8]. The attack also applies to several authentication schemes such as Fiat-Shamir [4] and Schnorr [9]. As expected, the attack itself depends on the exact implementation of each of these schemes. For an implementation of RSA based on the Chinese remainder theorem we show that given one faulty version of an RSA signature one can efficiently factor the RSA modulus with high probability. The same approach can also be used to break Rabin's signature scheme. Hardware faults can be used to break other implementations of the RSA system, though many more faulty values are required.

In Section 4 we show that the Fiat-Shamir identification scheme [4] is vulnerable to our hardware faults attack. Given a few faulty values an adversary can completely recover the private key of the party trying to authenticate itself. In Section 5 we obtain the same result for Schnorr's identification protocol [9]. Both schemes are suitable for use on smart cards.

It is important to emphasize that the attack described in this paper is currently theoretical. We are not aware of any published results physically experimenting with this type of attack. The purpose of these results is to demonstrate the danger that hardware faults pose to various cryptographic protocols. The conclusion one may draw from these results is the importance of verifying the correctness of a computation for security reasons. For instance, a smart card using RSA to generate signatures should check that the correct signature has indeed been produced. The same applies to a certification authority using RSA to generate certificates. In protocols where the device has to keep some state (such as in identification protocols) our results show the importance of protecting the registers storing the state information by adding error detection bits (e.g. CRC). We discuss these points in more detail at the end of the paper.

We note that FIPS [5] publication 140-1 suggests that hardware faults may compromise the security of a module. Our results show the extent of the damage caused by such faults.

2 Chinese remainder based implementations

2.1 The RSA system 

In this section we consider a system using RSA to generate signatures in a naive way. Let N = pq be a product of two large prime integers p and q. To sign a message x using RSA the system computes x^s mod N where s is a secret exponent. Here the message x is assumed to be an integer in the range 1 to N (usually one first hashes the message to an integer in that range). The security of the system relies on the fact that factoring the modulus N is hard. In fact, if the factors of N are known then one can easily break the system, i.e., sign arbitrary documents without prior knowledge of the secret exponent.

The computationally expensive part of signing using RSA is the modular exponentiation of the input x. For efficiency some implementations exponentiate as follows: using repeated squaring they first compute E_1 = x^s mod p and E_2 = x^s mod q. They then use the Chinese remainder theorem to compute the signature E = x^s mod N. We explain this last step in more detail. Let a, b be two precomputed integers satisfying:

    a ≡ 1 (mod p)        b ≡ 0 (mod p)
    a ≡ 0 (mod q)  and   b ≡ 1 (mod q)

Such integers always exist and can be easily found given p and q. It now follows that

    E ≡ a·E_1 + b·E_2 (mod N)

Thus, the signature E is computed by forming a linear combination of E_1 and E_2. This exponentiation algorithm is more efficient than using repeated squaring modulo N since the numbers involved are smaller.

2.2 RSA's vulnerability to hardware faults

Our simple attack on RSA signatures using the above implementation enables us to factor the modulus N. Once the modulus is factored the system is considered to be broken. Our attack is based on obtaining two signatures of the same message. One signature is the correct one; the other is a faulty signature. At the end of the section we describe an improvement due to Arjen Lenstra [7] that factors the modulus using just a single faulty signature of a known message M.

Let M be a message and let E = M^s mod N be the correct signature of the message. Let Ê be a faulty signature. Recall that E and Ê are computed as

    E = a·E_1 + b·E_2   and   Ê = a·Ê_1 + b·Ê_2

Suppose that by some miraculous event a hardware fault occurs only during the computation of one of Ê_1, Ê_2. WLOG, suppose a hardware fault occurs during the computation of Ê_1 but no fault occurs during the computation of Ê_2. Observe that

    Ê − E = (a·Ê_1 + b·E_2) − (a·E_1 + b·E_2) = a·(Ê_1 − E_1)

Now, if Ê_1 − E_1 is not divisible by p then

    gcd(Ê − E, N) = gcd(a·(Ê_1 − E_1), N) = q

and so N can be easily factored. Notice that if the factors of N are originally chosen at random then it is extremely unlikely that p divides Ê_1 − E_1. After all, Ê_1 − E_1 can have at most log N factors.

To summarise, using one faulty signature and one correct one the modulus used in the RSA system can be efficiently factored. We note that the above attack works under a very general fault model. It makes no difference what type of fault or how many faults occur in the computation of Ê_1. All we rely on is the fact that faults occur in the computation modulo only one of the primes.

Arjen Lenstra [7] observed that, in fact, one faulty signature of a known message M is sufficient. Let E = M^s mod N. Let Ê be a faulty signature obtained under the same fault as above, that is Ê ≡ E mod q but Ê ≢ E mod p. It now follows that

    gcd(M − Ê^e, N) = q

where e is the public exponent used to verify the signature, i.e. E^e = M mod N. Thus, using the fact that the message M is known it becomes possible to factor the modulus given only one faulty signature. This is of interest since most implementations of RSA signatures avoid signing the same message twice using some padding technique. Lenstra's improvement shows that as long as the entire signed message is known, even such RSA/CRT systems are vulnerable to the hardware faults attack.

The attack on Chinese remainder theorem implementations applies to other cryptosystems as well. For instance, the same attack applies to Rabin's signature scheme [8]. A Rabin signature of a number x mod N is the modular square root of x. The extraction of square roots modulo a composite makes use of CRT and is therefore vulnerable to the attack described above.
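The two-signature attack of Section 2.2, Lenstra's single-signature variant, and the check the paper recommends (verify the signature before releasing it), as an added worked example in Python. This is not code from the paper or its authors; it assumes constructed 16-bit primes (65521 and 65519), public exponent 65537 and a constructed message, and it models the fault as one flipped bit in the half computed modulo p.

```python
from math import gcd

# Constructed toy parameters (not the paper's): two 16-bit primes keep the
# numbers readable; the attack is identical for real-sized moduli.
P, Q = 65521, 65519
N = P * Q
E_PUB = 65537                                    # public verification exponent e
S_SECRET = pow(E_PUB, -1, (P - 1) * (Q - 1))     # secret signing exponent s

# Precomputed CRT coefficients of Section 2.1:
#   A ≡ 1 (mod p), A ≡ 0 (mod q)   and   B ≡ 0 (mod p), B ≡ 1 (mod q)
A = Q * pow(Q, -1, P)
B = P * pow(P, -1, Q)


def crt_sign(m, fault_in_p_half=False):
    """CRT signature: E_1 = m^s mod p, E_2 = m^s mod q, E = A*E_1 + B*E_2 mod N.
    With fault_in_p_half=True one bit of E_1 is flipped, modelling a transient
    fault confined to the computation modulo p (the paper's WLOG case)."""
    e1 = pow(m, S_SECRET % (P - 1), P)
    e2 = pow(m, S_SECRET % (Q - 1), Q)
    if fault_in_p_half:
        e1 ^= 1 << 3          # any corruption of E_1 alone suffices for the attack
    return (A * e1 + B * e2) % N


def factor_from_two_signatures(good_sig, faulty_sig):
    """Section 2.2: Ê - E = A*(Ê_1 - E_1) is a multiple of q but not of p, so the gcd is q."""
    return gcd(faulty_sig - good_sig, N)


def factor_lenstra(m, faulty_sig):
    """Lenstra's variant: Ê^e ≡ m (mod q) but not (mod p), so gcd(m - Ê^e, N) = q."""
    return gcd(m - pow(faulty_sig, E_PUB, N), N)


def checked_sign(m, fault_in_p_half=False):
    """The countermeasure the paper recommends: verify the freshly computed
    signature with the public exponent and release nothing on mismatch."""
    sig = crt_sign(m, fault_in_p_half)
    return sig if pow(sig, E_PUB, N) == m else None


if __name__ == "__main__":
    m = 19088743                                 # constructed message, 1 < m < N
    good, bad = crt_sign(m), crt_sign(m, fault_in_p_half=True)
    print("gcd(Ê - E, N)   =", factor_from_two_signatures(good, bad))
    print("gcd(m - Ê^e, N) =", factor_lenstra(m, bad))
    print("checked_sign on a faulty run:", checked_sign(m, fault_in_p_half=True))
```

Both gcd calls return the factor q = 65519 because the fault never touched the half computed modulo q; the checked signer returns None on the faulty run, which is exactly the "verify before output" behaviour the paper asks of smart cards and certification authorities.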
3 Register faults

From here on our attacks are based on a specific fault model which we call register faults. Consider a tamper-resistant device. We view the device as composed of some circuitry and a small amount of memory. The circuitry is responsible for performing the arithmetic operations. The memory (registers plus a small on-chip RAM) is used to store temporary values.

Our fault model assumes that the circuitry contains no faults. On the other hand, a value stored in a register may be corrupted. With low probability, one (or a few) of the bits of the value stored in some register may flip. We will need this event to occur with sufficiently low probability so that there is some likelihood of the fault occurring exactly once throughout the computation. As before, all errors are transient and the hardware has no clue that the change has taken place.

4 The Fiat-Shamir identification scheme

The Fiat-Shamir [4] identification scheme is an efficient method enabling one party, Alice, to authenticate its identity to another party, Bob. They first agree on an n-bit modulus N which is a product of two large primes and a security parameter t. Alice's secret key is a set of invertible elements s_1, ..., s_t mod N. Her public key is the square of these numbers v_1 = s_1^2, ..., v_t = s_t^2 (mod N). To authenticate herself to Bob they engage in the following protocol:

1. Alice picks a random r and sends r^2 mod N to Bob.

2. Bob picks a random subset S ⊆ {1, ..., t} and sends the subset to Alice.

3. Alice computes y = r · ∏_{i∈S} s_i mod N and sends y to Bob.

4. Bob verifies Alice's identity by checking that y^2 = r^2 · ∏_{i∈S} v_i (mod N).

For the purpose of authentication one may implement Alice's role in a tamper resistant device. The device contains the secret information and is used by Alice to authenticate herself to various parties. We show that using register faults one can extract the secret s_1, ..., s_t from the device. We use register faults that occur while the device is waiting for a challenge from the outside world.

Theorem 4.1 Given t faulty runs of the protocol one can recover the secret s_1, ..., s_t with probability at least half using O(nt) arithmetic operations.
Proof Suppose that due to a miraculous fault, one of the bits of the register holding the value r is flipped while the device is waiting for Bob to send it the set S. In this case, Bob receives the correct value r^2 mod N, however y is computed incorrectly by the device. Due to the fault, the device outputs:

    ŷ = (r + E) · ∏_{i∈S} s_i (mod N)

where E is the value added to the register as a result of the fault. Observe that since Bob knows the value ∏_{i∈S} v_i he can compute

    (r + E)^2 = ŷ^2 / ∏_{i∈S} v_i (mod N)

Since E is a binary number of low weight (i.e. a power of 2 or a sum of a few powers of 2), Bob can guess this value. If E is guessed correctly then Bob can recover r since

    (r + E)^2 − r^2 = 2E·r + E^2 (mod N)
and this linear equation in r can be easily solved. Bob's ability to discover the secret random value r is the main observation which enables him to break the system. Using the values of r and E Bob can compute the product ∏_{i∈S} s_i.

To summarize, Bob can compute the value ∏_{i∈S} s_i by guessing the fault value E and using the formula:

    ∏_{i∈S} s_i = ŷ / (r + E) (mod N)

We now argue that Bob can verify that the fault value E was guessed correctly. Let T be the hypothesised value of ∏_{i∈S} s_i obtained from the above formula. To verify this value Bob interacts with the device under normal conditions so that the device works properly. The point is that Bob uses the same set S which he used when the device generated the fault. The device will now correctly produce two values (r')^2 and y' = r' · ∏_{i∈S} s_i. Now Bob simply checks that (y')^2 = (r')^2 · T^2. Usually there is only one low-weight value E satisfying the relation. In such a case Bob correctly obtains the value of ∏_{i∈S} s_i.

Even in the unlikely event of two values E, E' satisfying the relation, Bob can still break the system. Observe that the relation (y')^2 = (r')^2 · T^2 implies that T^2 = ∏_{i∈S} v_i. If two low-weight values E, E' generate two values T, T', T ≠ T', satisfying the relation then clearly T^2 = (T')^2 mod N. If T ≠ −T' mod N then Bob can already factor N. Suppose T = −T' mod N. Then since one of T or T' must equal ∏_{i∈S} s_i (one of E, E' is the correct fault value) it follows that Bob now knows ∏_{i∈S} s_i up to sign. For our purposes this is good enough.

The testing method above enables Bob to check whether a certain value of E is the correct one. Since E is a low binary weight integer Bob can try all possible values for E. For instance, if we assume the fault is a single bit flip then there are only n possible values for E (since in this case E = 2^k for some 1 ≤ k ≤ n). By testing all possible values for E until the correct one is found Bob can compute ∏_{i∈S} s_i.

Observe that once Bob has a method for computing ∏_{i∈S} s_i for various sets S of his choice, he can easily find s_1, ..., s_t. The simplest approach is for Bob to construct ∏_{i∈S} s_i for singleton sets, i.e. sets S containing a single element. If S = {k} then ∏_{i∈S} s_i = s_k and so the s_i's are immediately found. However, it is possible that the device might refuse to accept singleton sets S. In this case Bob can still find the s_i's as follows. We represent a set S ⊆ {1, ..., t} by its characteristic vector U ∈ {0, 1}^t, i.e. U_i = 1 if i ∈ S and U_i = 0 otherwise.

Bob picks sets S_1, ..., S_t such that the corresponding set of characteristic vectors U_1, ..., U_t form a t × t full rank matrix over Z_2. Bob uses the method described above to construct the values T_i = ∏_{j∈S_i} s_j for each of the sets S_1, ..., S_t. To determine s_1 Bob constructs elements α_1, ..., α_t ∈ {0, 1} such that

    α_1 U_1 + ... + α_t U_t = (1, 0, 0, ..., 0) (mod 2)

These elements can be efficiently constructed since the vectors U_1, ..., U_t are linearly independent over Z_2. When all computations are done over the integers we obtain that

    α_1 U_1 + ... + α_t U_t = (2β_1 + 1, 2β_2, 2β_3, ..., 2β_t)

for some known integers β_1, ..., β_t. Bob can now compute s_1 using the formula

Recall that the values v_i = s_i^2 (mod N) are publicly available. The values s_2, ..., s_t can be constructed using the same procedure.

The procedure above made use of t faults and took O(nt) arithmetic operations. □

We emphasize that the faults occur while the device is waiting for a challenge from the outside world. Consequently, the adversary knows at exactly what time the register faults must be induced.

4.1 A modification of the Fiat-Shamir scheme

One may suspect that our attack on the Fiat-Shamir scheme is successful due to the fact that the scheme is based on squaring. Recall that Bob was able to compute the random value r chosen by the device since he was given r^2 and (r + E)^2 where E is the fault value. One may try to modify the scheme and use higher powers. We show that our techniques can be used to break this modified scheme as well.

The modified scheme uses some publicly known exponent e instead of squaring. As before, Alice's secret key is a set of invertible elements s_1, ..., s_t mod N. Her public key is the set of numbers v_1 = s_1^e, ..., v_t = s_t^e mod N. To authenticate herself to Bob they engage in the following protocol:

1. Alice picks a random r and sends r^e mod N to Bob.

2. Bob picks a random subset S ⊆ {1, ..., t} and sends the subset to Alice.

3. Alice computes y = r · ∏_{i∈S} s_i mod N and sends y to Bob.

4. Bob verifies Alice's identity by checking that y^e = r^e · ∏_{i∈S} v_i (mod N).

When e = 2 this protocol reduces to the original Fiat-Shamir protocol. Using the methods described in the previous section Bob can obtain the values L_1 = r^e mod N and L_2 = (r + E)^e mod N. As before we may assume that Bob guessed the value of E correctly. Given these two values Bob can recover r by observing that r is a common root of the two polynomials

    z^e − L_1 (mod N)   and   (z + E)^e − L_2 (mod N)

Furthermore, r is very likely to be the only common root of the two polynomials. Consequently, when the exponent e is polynomial in n Bob can recover r by computing the GCD of the two polynomials. Once Bob has a method for computing r he can recover the secrets s_1, ..., s_t as discussed in the previous section.

We note that the system can be broken even when a large exponent e < N is used, by using a much larger collection of faults. We give the details in the final version of the paper.

5 Attacking Schnorr's identification scheme

The security of Schnorr's identification scheme [9] is based on the hardness of computing discrete log modulo a prime. Alice and Bob first agree on a prime p and a generator g of Z_p^*. Alice chooses a secret integer s and publishes y = g^s mod p as her public key. To authenticate herself to Bob, Alice engages in the following protocol:

1. Alice picks a random integer r ∈ [0, p) and sends z = g^r mod p to Bob.

2. Bob picks a random integer t ∈ [0, T] and sends t to Alice. Here T < p is some upper bound chosen ahead of time.

3. Alice sends u = r + t·s mod (p − 1) to Bob.

4. Bob verifies that g^u = z·y^t mod p.

For the purpose of authentication one may implement Alice's role in a tamper resistant device. The device contains the secret information s and is used by Alice to authenticate herself to various parties. We show that using register faults one can extract the secret s from the device.

Theorem 5.1 Let p be an n-bit prime. Given n log n faulty runs of the protocol one can recover the secret s with probability at least 1/2 using O(n^2) arithmetic operations.

Proof Bob, wishing to extract the secret information stored in the device, first picks a random challenge t. The same challenge will be used in all invocations of the protocol. Since the device cannot possibly store all challenges given to it thus far, it cannot possibly know that Bob is always providing the same challenge t. The attack will enable Bob to determine the value t·s mod p from which the secret value s can be easily found. For simplicity we set x = ts mod p and assume that g^x mod p is known to Bob.

Suppose that due to a miraculous fault, one of the bits of the register holding the value r is flipped while the device is waiting for Bob to send it the challenge t. More precisely, when the third phase of the protocol is executed the device finds r̂ = r + 2^i in the register holding r. Consequently, the device will output û = r̂ + x mod p. Bob can determine the value of i (the fault position) by trying all possible values i = 0, ..., n until an i satisfying

    g^û = g^x · g^r · g^{2^i} (mod p)

is found. Assuming a single bit flip, there is exactly one such i. The above identity proves to Bob that r̂ = r + 2^i, showing that the i'th bit of r flipped from a 0 to a 1. Consequently, Bob now knows that indeed the i'th bit of r must be 0. Similar logic can be used to handle the case where r̂ = r − 2^i. In this case Bob can deduce that the i'th bit of r is 1.

More abstractly, Bob is given x + r^(1), ..., x + r^(k) mod p for random values r^(1), ..., r^(k) (recall k = n log n). Furthermore, Bob knows the value of some bit of each of r^(1), ..., r^(k). We claim that from this information Bob can recover x in time O(n^2). We assume the faults occur at uniformly and independently chosen locations in the register r. It follows that with probability at least 1/2 a fault will occur in every bit position of the register r. In other words, for every 1 ≤ i ≤ n there exists an r^(j) among r^(1), ..., r^(k) such that the i'th bit of r^(j) is known to Bob (we regard the first bit as the LSB).

To recover x Bob first guesses the log 8n most significant bits of x. Later we show that Bob can verify whether his guess is correct. Bob tries all possible log 8n bit strings until the correct one is found. Let X be the integer that matches x on the most significant log 8n bits and is zero on all other bits. For now we assume that Bob correctly guessed the value of X. Bob recovers the rest of x starting with the LSB. Inductively suppose Bob already knows bits x_{i−1} ... x_2 x_1 of x (initially i = 1). Let Y = Σ_{j<i} x_j 2^{j−1}. To determine bit x_i Bob uses r^(i), of which he knows the i'th bit and the value of x + r^(i). Let b be the i'th bit of r^(i). Then

    x_i = b ⊕ (i'th bit of (x + r^(i) − Y − X mod p))

assuming no wrap around, i.e., x + r^(i) − Y − X < p − 1. Since x − X < p/8n wrap around will occur only if r^(i) > (1 − 1/8n)·p. Since the r's are independently and uniformly chosen in the range [0, p) the probability that this doesn't happen in all n iterations of the algorithm is more than 1/2.
To summarize we see that once X is guessed correctly the algorithm runs in linear time and outputs x with probability at least 1/2. (The reason for the 1/2 is that both all bits of r should be "covered" by faults and all r^(i) should not be too large. Both events are satisfied with probability at least 1/2.) Of course, once a candidate x is found it can be easily verified using the public data. There are O(n) possible values for X and hence the running time of this step is O(n^2). □

We note that the attack also works in the case of multiple bit flips of the register r. As long as the number of bit flips is constant, their exact location can be found and used by Bob. We also note that the faults we use occur while the device is waiting for a challenge from the outside world. Consequently, the adversary knows at exactly what time the faults should be induced.

6 Breaking other implementations of RSA

In Section 2.1 we observed that CRT based implementations of RSA can be easily broken in the presence of hardware faults. In this section we show that using register faults it is possible to break other implementations of RSA as well. Let N be an n-bit RSA composite and s a secret exponent. The exponentiation function x ↦ x^s mod N can be computed using either one of the following two algorithms (we regard bit one as the LSB and bit n as the MSB):

• Algorithm I
    init: y ← x; z ← 1.
    main: For k = 1, ..., n:
          If k'th bit of s is 1 then z ← z·y (mod N).
          y ← y^2 (mod N).
    Output z.

• Algorithm II
    init: z ← x.
    main: For k = n − 1 down to 1:
          If k'th bit of s is 1 then z ← z^2·x (mod N).
          Otherwise, z ← z^2 (mod N).
    Output z.

For both algorithms, given several faulty values one can recover the secret exponent in polynomial time. Here by faulty values we mean values obtained in the presence of register faults. The attack only uses erroneous signatures of randomly chosen messages; the attacker need not obtain the correct signature of any of the messages. Furthermore, an attacker need not obtain multiple signatures of the same message. The following result was the starting point of our research on fault based cryptanalysis:

Theorem 6.1 With probability at least 1/2 the secret exponent s can be extracted from a device implementing the first exponentiation algorithm by collecting (n/m) log n faults and O(2^m · n^3) RSA encryptions, for any 1 ≤ m < n. For public exponent d this takes O(2^m · n^4) time. For random d it takes O(2^m · n^5) time.
Proof We use the following type of faults: let M ∈ Z_N be a message to be signed. Suppose that at a single random point during the computation of M^s mod N a register fault occurs. That is, at a random point in the computation one of the bits of the register z is flipped. We denote the resulting erroneous signature by Ê. We intend to show that an ensemble of such erroneous signatures enables one to recover the secret exponent s. Even if other types of faulty signatures are added to the ensemble, they do not confuse our algorithm.

Let l = (n/m) log n and let M_1, ..., M_l ∈ Z_N be a set of random messages. Set E_i = M_i^s mod N to be the correct signature of M_i. Let Ê_i be an erroneous signature of M_i. A register fault occurs at exactly one point during the computation of Ê_i. Let k_i be the value of k (recall k is the counter in Algorithm I) at the point at which the fault occurs. Thus, for each faulty signature Ê_i there is a corresponding k_i indicating the time at which the fault occurs. We may sort the messages so that 1 ≤ k_1 ≤ k_2 ≤ ... ≤ k_l ≤ n. The points at which the faults occur are chosen uniformly (among the n iterations) and independently at random. It follows that given l such faults, with probability at least half, k_{i+1} − k_i < m for all i = 1, ..., l. Since we do not know where the faults occur, the values k_i are unknown to us.

Let s = s_n s_{n−1} ... s_1 be the bits of the secret exponent s. We recover a block of these bits at a time starting with the MSBs. Suppose we already know bits s_n s_{n−1} ... s_{k_i} for some i. Initially i = l + 1, indicating that no bits are known. We show how to recover bits s_{k_i−1} s_{k_i−2} ... s_{k_{i−1}}. We intend to try all possible bit vectors until the correct one is found. Since even the length of the block we are looking for is unknown, we have to try all possible lengths. The algorithm works as follows:

1. For all lengths r = 0, 1, 2, 3, ... do:

2. For all candidate r-bit vectors u_{k_i−1} u_{k_i−2} ... u_{k_i−r} do:

3. Set w = Σ_{j≥k_i} s_j 2^{j−1} + Σ_{j=k_i−r}^{k_i−1} u_j 2^{j−1}. In other words, w matches the bits of s and u at all known bit positions and is zero everywhere else.

4. Test if the current candidate bit vector is correct by checking if one of the erroneous signatures Ê_j, j = 1, ..., l satisfies

    ∃ e ∈ {0, ..., n} s.t. (Ê_j ± 2^e · M_j^w)^d = M_j (mod N)

   Recall that d is the public signature verification exponent. The ± means that the condition is satisfied if it holds with either a plus or a minus.

5. If a signature satisfying the above condition is found, output u_{k_i−1} u_{k_i−2} ... u_{k_i−r} and stop. At this point we know that k_{i−1} = k_i − r and s_{k_i−1} s_{k_i−2} ... s_{k_i−r} = u_{k_i−1} u_{k_i−2} ... u_{k_i−r}.

The condition at step (4) is satisfied by the correct candidate u_{k_i−1} ... u_{k_i−r}. To see this recall that Ê_{i−1} is obtained from a fault at the k_{i−1}'st iteration. That is, at the k_{i−1}'st iteration the value of z was changed to ẑ = z ± 2^e for some e. Notice that at this point z = M_{i−1}^{s−w}, the part of the exponentiation below the known bits. From that point on no fault occurred and therefore the signature Ê_{i−1} satisfies

    Ê_{i−1} = ẑ · M_{i−1}^w = E_{i−1} ± 2^e · M_{i−1}^w (mod N)

When in step (4) the signature Ê_{i−1} is corrected it properly verifies when raised to the public exponent d. Consequently, when the correct candidate is tested, the faulty signature Ê_{i−1} guarantees that it is accepted.

We still need to show that a wrong candidate will not pass the test with high probability. Suppose some signature $E_v$ incorrectly causes the wrong candidate $u'$ to be accepted at some point in the algorithm. That is, $M_v^{s} \pm 2^e M_v^{w'} \equiv E_v \pmod N$ even though $E_v$ was generated by a different fault (here $w'$ is defined as in step (3) using the bits of $u'$). We know that $E_v \equiv M_v^{s} \pm 2^{e_1} M_v^{w_1} \pmod N$ for some $e_1$ and some $w_1 \neq w'$. Therefore,

$\pm 2^{e_1} M_v^{w_1} \pm 2^{e} M_v^{w'} \equiv 0 \pmod N$

In other words, $M_v$ is a root of a polynomial of the form $a_1 x^{w_1} + a_2 x^{w_2} = 0$ with $w_2 = w'$, $a_1 = \pm 2^{e_1}$ and $a_2 = \pm 2^{e}$.

The number of roots of such a polynomial is upper bounded by $a = \gcd(w_1 - w_2, \varphi(N))$. Since the message $M_v$ is chosen independently of the fault location (i.e. independently of $e_1, w_1$), it follows that $M_v$ is a root with probability at most $a/N$. Consequently, the probability that a wrong candidate $u'$ is accepted at a specific invocation of the equality test at step (4) is bounded by $a/N$. The equality test is invoked only $l^2 2^m$ times (at most $l$ blocks, fewer than $2^m$ candidates per block, $l$ signatures per candidate), and hence the probability that a wrong candidate is ever accepted is bounded by $l^2 2^m a/N$. We argue that with high probability $a < N/2^m n^3$, which will prove that a wrong candidate is never accepted with probability at least $1 - 1/n$.

To see that $a < N/2^m n^3$, define $q$ to be the largest prime divisor of $\varphi(N)$. Clearly $q > 2^m n^3$, since otherwise one can easily factor the modulus $N$ in time polynomial in $2^m n^3$. It follows that if $a/N > 1/2^m n^3$ then $q$ divides $w_1 - w_2$. Observe that there are at most $2^m n^2$ possible values for $w_1 - w_2$. Therefore, when the secret exponent $s$ is random, the probability that $q$ divides any of the possible values for $w_1 - w_2$ is at most $2^m n^2/q < 1/n$. This proves that $a/N < 1/2^m n^3$ with probability at least $1 - 1/n$.

If one allows the algorithm to obtain both the faulty and the correct signature of each message $M_i$, then the running time of the algorithm can be improved to $O(2^m l)$ arithmetic operations modulo $N$, which take time $O(2^m n^3)$. This follows since the error location $e$ can be easily found using a lookup table of powers of two mod $N$.

7 Protecting against an attack based on hardware faults 

One can envision several methods of protection against the type of attack discussed in the paper. The simplest method is for the device to check the output of the computation before releasing it. Though this extra verification step might reduce system performance, our attack suggests that it is crucial for security reasons.
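The following is an added example, not code from the paper: a toy right-to-left square-and-multiply signer with the paper's register-fault model, showing that a faulty output has the form $M^s \pm 2^e M^w$ relied on by the test in step (4), and that the output check recommended above blocks such a signature. The toy primes and all function names are constructed for illustration.

```python
# Added example (not from the paper): toy RSA signer with a simulated single-bit
# register fault, plus the Section 7 countermeasure of checking the output before
# releasing it. Toy primes are constructed here for illustration only.

P, Q = 61, 53            # constructed toy primes (never use in practice)
N = P * Q                # 3233
PHI = (P - 1) * (Q - 1)  # 3120
D = 17                   # public verification exponent (coprime to PHI)
S = pow(D, -1, PHI)      # secret signing exponent s = 2753


def sign_with_fault(m, s, n, fault_iter=None, fault_bit=0, sign=+1):
    """Compute m^s mod n by right-to-left square-and-multiply.
    If fault_iter is given, the accumulator z is hit by a register fault
    at that iteration: z becomes z +/- 2^fault_bit, as in the paper's model."""
    z, y = 1, m % n          # z: accumulator, y: running power m^(2^(k-1))
    k = 1
    while s >> (k - 1):      # iteration k processes bit s_k
        if fault_iter == k:
            z = (z + sign * (1 << fault_bit)) % n
        if (s >> (k - 1)) & 1:
            z = z * y % n
        y = y * y % n
        k += 1
    return z


def release_signature(m, s, n, d, **fault):
    """Countermeasure: check the output before releasing it.
    Returns the signature, or None if it fails public-exponent verification."""
    sig = sign_with_fault(m, s, n, **fault)
    return sig if pow(sig, d, n) == m % n else None


def high_bits_value(s, k):
    """w = sum over bits j >= k of s_j * 2^(j-1): the exponent of the term
    2^e * m^w that a fault at iteration k adds to the output."""
    return s & ~((1 << (k - 1)) - 1)


def fault_term_matches(m, s, n, k, e, sign):
    """Check E - m^s == sign * 2^e * m^w (mod n) for a fault at iteration k."""
    faulty = sign_with_fault(m, s, n, fault_iter=k, fault_bit=e, sign=sign)
    w = high_bits_value(s, k)
    return (faulty - pow(m, s, n)) % n == (sign * (1 << e) * pow(m, w, n)) % n
```

Because raising to the public exponent is a bijection modulo $N$, any faulty output differing from $M^s$ fails the check, so the device never releases it.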

Our attack on authentication protocols such as the Fiat-Shamir scheme uses a register fault which occurs while the device is waiting for a response from the outside world. One cannot protect against this type of fault by simply verifying the computation. As far as the device is concerned, it computed the correct output given the input stored in its memory. Therefore, to protect multi-round authentication schemes one must ensure that the internal state of the device cannot be affected. Consequently, our attack suggests that for security reasons devices must protect internal memory by adding some error detection bits (e.g. CRC).

Another way to prevent our attack on RSA signatures is the use of random padding. See for instance the system suggested by Bellare and Rogaway [1]. In such schemes the signer appends random bits to the message to be signed. To verify the RSA signature the verifier raises the signature to the power of the public exponent and verifies that the message is indeed a part of the resulting value. The random padding ensures that the signer never signs the same message twice. Furthermore, given an erroneous signature the verifier does not know the full plaintext which was signed. Consequently, our attack cannot be applied to such a system.
8 Summary

We described a general attack which makes use of hardware faults. The attack applies to several cryptosystems. We showed that encryption schemes using Chinese remaindering, e.g. RSA and Rabin signatures, are especially vulnerable to this kind of attack. Other implementations of RSA are also vulnerable, though many more faults are necessary. The idea of using hardware faults to attack cryptographic protocols applies to authentication schemes as well. For instance, we explained how the Fiat-Shamir and Schnorr identification protocols may be broken using hardware faults.

Verifying the computation and protecting internal storage using error detection bits defeats attacks based on hardware faults. We hope that this paper demonstrates that these measures are necessary for security reasons. Methods of program checking [2] may come in useful when verifying computations in cryptographic protocols. Specifically, a recent result of Frankel, Gemmel and Yung [6] could prove useful in this context.